RECEIVED 

Nov-06-06 06:54pm Frora-HUNTON 6 WILLIAMS NTRAL ^ CENTER M48 P 1 0/1 6 F-241 

NOV o 6 ?nnR 

v v LUUO PATENT A?PUCaTXON 

ATTORNEY DOCKET NO- 52493.000374 



REMARKS 

Reconsideration of rhis Application is respectfully requested. In response to the Office 
Action ("Action") mailed August 4, 2006, Applicants submit the following remarks. Claims 1- 
35 are pending. Applicants respectfully request that the Office reconsider and withdraw all 
outstanding rejections. 

I. NOTICE OF ALLOWABLE SUBJECT MATTER 

On p*ge 5, the Action indicates that claims 6, 7, 22, and 23 would be allowable if 
rewritten in independent form including all of the limitations of the base claim and any 
intervening claims. AppUcanta wish to thank Examiner Raymond for the indication of allowable 
subject matter in the claims. At this time, Applicants have not amended the claims as suggested 
as it is earnestly believed that the pending claims already define patentable subject matter for the 
reasons set forth below. 

II REJECTIONS UNDER 35 U.S.C § 102 

On pages 2-5, the Action rejects claims 1-5, 8-21, and 24-35 under 35 U.S.C. § 102(b) as 
allegedly being anticipated by U.S. Patent App. Pub. No. 2004/0102923 to Tracy et «L 
(hereinafter "Tracy"). Applicants respectfully traverse this rejection. For at least the following 
reasons, the Tracy does not anticipate these claims. 

A. TRACY DOES NOT QUALIFY AS PRIOR ART UNDER 35 U.S.C. § 102(b) 

35 U.S,C. § 102 states: 

A person shall be entitled to a patent unless - 

O) inn in venuon was patented or ^scribed m a primes] publication in this or a foreign country or 
in puMic use or on sale in this country, more jfean one year prio r ifag daw of application for pateM 
in the United States 
(Emphasis added.) 

The instant application was filed on March 3 1 , 2004. Tracy was published on May 27, 
2004, which is after Applicant's filing date. Thus, Tracy was not printed publication more jhan 
one year prior the date of application for patent in the United States. Accordingly, 35 U.S.C, § 
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102(b) does not apply and Applicants respectfully request thai the rejection of the claims be 
withdrawn. Further, in an attempt to expedite prosecution, Applicants submit the following 
remarks discussing how Tracy does not anticipate the pending claims. 

8. TRACY DOES NOT ANTICIPATE CLAIM 1 UNDER 35 U.S.C § 102 

The Action rejects claim 1 under 35 U.S.C. § 102 as allegedly being anticipated by 
Tracy. Applicants respectfully traverse this rejection. 

"A claim is anticipated only if each and every element as set forth in the claim is found, 
either expressly or inherently described, in a single prior an reference." Verdepaal Bros, v. 
Union Oil Co. of California . 2 USPQ2d 1051, 1053 (Fed. Cir. 1987). 

Claim 1 recites: 

A method of testing comprising: 

defining a process to be tested; 

identifying a plurality of risks associated with the process; 
quantifying each of the risks witfr a risfc val^e : 

defining a test plan for the process, the test plan including a number of 
test cases, wherein testing of foe rest cases js pfj ori pze 4 based on the risk value; 
and 

executing the test plan. 
(Emphasis added-) 

Tracy discloses a system of providing a risk assessment of a target system. See Tracy, 
Abstract. FIG. 1 of Tracy depicts a high level flow diagram 100 for the system. In 100, 
"information i* gathered pertaining to the system or network undergoing' 1 certification and 
accreditation. See Tracy, $0063. In 102, "a list of standards and/or regulations (or portions 
thereof) that the system must, or should, comply with" are selected. See Tracy, 10066. In 104, 
the system can select a set of test procedures (againsr which the system can be tested). See 
Tracy, <p367. In 106, the user can (continue to) add, delete and/or edit requirements selected at 
step 102 and/or test procedures selected at step 104. See Tracy, 10068, In 108, upon completion 
of testing, the risk assessment step involves assessing for each requirement failure (should any 
exist) the vulnerability of the system, as well as the level of the threat as determined by the 
information gathered, and the risk assessment 108 provides as output an estimate of the risk level 
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for each requirement category. See Tracy, 10069, $0070. Then, at 1 10, documentation can be 
printed that includes information pertaining to the first five elements tha; would enable an 
accreditation decision (manual or automated) to be made based on the inputs and outputs 
respectively provided and generated in steps 100, 102, 104, 106, and/or 108. See Tracy, 10070. 

For at least the following reasons, Tracy does not anticipate claim I under 35 U.S.C § 

102. 

Applicants note that, based on the sections of Tracy cited in the rejection, it is clear that 
the Action is not analyzing the claim as a whole (see M.P.E.P. § 2106 (Ii)(C), stating that claims 
"must be considered as a whole/ 7 ). The Action inconsistently applies Tracy to reject various 
elements of claim 1 and impermissibly dissects and isolates the claim elements recited in claim 1 
without regard to the relationships specified in the claim. Specifically, the Action fail* to 
consider the relationship between the claimed •'quantifying each of the risks with a risk value" 
(emphasis added) and the claimed "defining a test pl^n for iht process, the test plan including a 
number of test cases, wherein tesppg of the test cases is priorubged based on the risk value" 
(emphasis added) recited in claim J. 

To reject the claimed "quantifying each of the risks with a risk value," the Action cites \ 
0070 of Trucy, See Action, page 2. Referring to the flow diagram depicted in FIG. 1, Tracy 
discloses that estimates of a risk level are output by a risk assessment in 108. See Tracy, 10070. 
To reject the claimed "defining a test plan for the process, the test plan including a number of 
test cases, wherein testing of the test cases is prioritized based on the risk value" the Action 
relies on the test procedures disclosed in 10076 of Tracy. In this paragraph, Tracy discloses that: 

Presentation manager 206 can also communicate with administration module 230 to, for 
example, update test procedures in knowledge base 228. Administrative module 230 
facilitate* communication between presentation manager 206 and persistence layer 218. 
Persistence layer 2 1 8 can be used, for example, to facilitate adding new requirements, 
editing existing requirements, adding a new test procedure and/or editing an existing test 
procedure to (or within) knowledge base 228. Persistence layer 218 can communicate 
with event module 2 14 which, in turn can, for example, notify react module 204 to alert 
an analyst that a new test is to be conducted. 
See Tracy, 10076. 
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Thus, the Action appears to argue thai the testing of the test procedures described in 50076 of 
Tracy are prioritized by the estimates of a risk level output by a risk assessment in 108 from 
|0070. This assertion is wholly unsupported by Tracy, 

Tracy does not disclose a relationship between the estimates of risk levels and a 
prioritization of test procedures similar 10 the priority relationship between the claimed risk 
values and the claimed test cases recited in claim 1. In fact, Tracy discloses that the estimates of 
the risk level are obtained aftgr completion of the testing using the testing procedures. See 
Tracy, 10069, stating that fci upon completion of testing , the risk assessment step . . . involves 
assessing for each requirement failure (should any exist) the vulnerability of the system, as well 
as the level of the threat as determined by the information gathered" (emphasis added). 

The flow diagram in FIG. 21 of Tracy also clearly illustrates that the risk values are 
determined after completion of testing, and hence cannot be used to prioritize the testing of the 
test procedures. In 2104 of Tracy, test procedures are generated, and in 2106, the tests are 
executed. See Tracy, FIG. 21. Later, in 21 14, the system calculates risks based on a "bucket risk 
formula." See Tracy, FIG. 21. Hence, the testing of the test procedures of Tracy cannot be 
prioritized based on risk level estimates because the risk level estimates are obtained frftey the 
lest procedures are completed By citing these paragraphs, it is apparent that the Action is not 
interpreting claim 1 as a whole. Rather, the Action impermissibly dissects various claim 
elements without regard to relationships defined in the claim. 

Moreover, the Action has not shown that Tracy discloses "defining a test plan for the 
process, the test plan including a number of test cases, wherein resting of ifte test cases is 
prioritized based on the risk value" (emphasis added), as recited in claim I. % 0076 cited in the 
Action discloses test procedures, but does not disclose that the testing of the test procedures is 
prioritized based on a risk value, contrary to the statements made in the Action, Thus, the Action 
has not established that Tracy discloses each and every claim element in order to anticipate claim 
1 under 35 U.S.C. § 102. Therefore, claim I is allowable over Tracy. 

Additionally, it is noted that Tracy does disclose "a scheme whereby system 
vulnerabilities can be continuously assessed by considering newly discovered threats, and 
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updating resting requirements and procedures to account for such threats." See Tracy, 10069. 
However, this paragraph of Tracy does not disclose a priority relationship between the updated 
testing procedures and the estimates of the risk level The updating disclosed in 10069 of Tracy 
is based on newly discovered threats, and is not based on prioritizing testing of the updated 
testing procedures based on the estimates of the risk level- 
Accordingly, claim 1 is in condition for allowance and allowance thereof is respectfully 
requested. Claims 2-31 are also allowable for reasons analogous to those given in support of 
claim L 

C. RESPONSE TO THE REJECTION OF CLAIM 32 UNDER 35 U.S,C. § 102 

The Action rejects claim 32 under 35 U.S.C, § 102 as allegedly being anticipated by 
Tracy. Applicants respectfully traverse thi* rejection. 

Claim 32 recites: 

An article of manufacture comprising: 

a computer useable medium having computer readable program code 
means embodied therein for testing a process or a system, tne computer readable 
program code means in said article of manufacture comprising: 

computer readable program code means for causing the computer to 
receive and store data identifying a plurality of risks associated with the Proems 
or sysiem : 

computer readable program code means for causing the computer to 
receive and store a risk value associated with each of the plurality of risks; 

computer readable program code mean* for causing the computer to 
receive and store data defining a test plan for the process or sysrem, the test plan 
including at feast one test case, the at least one test case comprising at least one 
step; 

computer readable program code means for causing the computer to 
receive and store data associating each of die plurality of risks wirh a step of a 
test case; and 

computer readable program code means for causing the compuier to 
generate a report listing the risks jn order ofjhg risk value. 

For at Wast the following reasons, Tracy does not anticipate claim 32 under 35 U.S.C. § 

102. 
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Similar to the remarks provided above, the Action does not consider claim 32 as a whole 
and impermissible dissects claim elements without considering the relationships of the claim 
elements specified in the claim. Specifically, Tracy does not disclose the relationship between 
the claimed "computer readable program code means for causing the computer to receive and 
store a risk value associated wiih each of the plurality of risks " (emphasis added) and the claimed 
"computer readable program code means for causing the computer to generate arepprt listing foe 
r^sks in order of the risk value" (emphasis added) recited in claim 32. 

To reject the claimed storing of "a risk value associated with each of [a] plurality of 
risks," the Action relies on «p)70 of Tracy, which discloses that estimates of a risk level are 
output by a risk assessment step 108 in the now diagram of HO. 1. To reject ihc claimed 
generating a Report listing the risks in order of the risk value" the Action relies on 10066, 
<J0069, and 110070 of Tracy, which disclose that "documentation can be printed 1 10 that includes 
information pertaining to the first five elen^s {hat w ould enable an accreditation decision 
(manual or automated) to be made based on the inputs and outputs respectively provided and 
generated in steps 100, 102, 104, 106, and/or 108" (emphasis added). See Tracy, |0070. 

However, Tracy does not disclose that the printed documentation including fcV the first five 
elements" lists the 'Tirst five elements" in order of the estimates of a risk level output by the risk 
assessment step 108 from the flow diagram of FIG. 1 . Because the printed document of Tracy 
does not lisi the "first five elements" in the order of the estimates of a risk level, Tracy does not 
disclose "computer readable program code means for causing the computer to generate a report 
listing the risks in order of the risk value" (emphasis added), as recited in claim 32. Thus, the 
Action has not shown that Tracy anticipates claim 32 under 35 U.S.C. § 102. Therefore, claim 
32 is allowable over Tracy and allowance thereof is respectfully requested. 

Claim* 33-35 also are in condition for allowance due to their dependence on claim 32 and 
allowance thereof is respectfully requested. 
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CONCLUSION 



For at least the reasons outlined above, Applicants respectfully assert that the applied an 
fails to fairly teach or suggest the claimed invention and that the application should therefore be 
allowed. Favorable reconsideration and allowance of the claims are respectfully solicited. 

It is believed that no further fees are due in connection with this filing. However, if any 
fees are due, the Commissioner is hereby authorized to charge such fees (or credit overpayments) 
to the undersigned's Deposit Account No. 50-0206. 

Respectfully submitted, 



HUNTON & WILLIAMS LLP 
Intellectual Property Department 
1900 K Street, N.W. 
Suite 1200 

Washington, DC 20006 
(202) 955-1500 (telephone) 
(202) 778-2201 (facsimile) 



HUNTON & WILLIAMS LLP 




By: 
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